Five years after its inception, BITS, the technology group of the Financial Services Roundtable, says its fraud reduction program has made a dent in the industry’s losses.
The executives involved in the program said several initiatives — setting up a collective database, comparing fraud loss rates among institutions, and identifying weak spots in the processing of automated clearing house transactions — have helped reduce fraud rates.
Many more are in the works. One project is to create a central list of bank employees who have been caught stealing substantial property from their employer, to help institutions screen job applicants.
Forty of the 52 financial institutions participating in the program reduced their fraud losses by an average of 3% annually, compared with the average industry increase of 1%. The remaining 12 did not track losses.
One major but intangible accomplishment, the executives said, has been changing the mindset among participating bankers. In the past, many banks did not want to admit to having fraud losses or to describe them; under the auspices of the BITS program, the banks cleared the air and determined that denial was not a productive attitude.
“In our very first session, we agreed amongst ourselves that fraud was not a competitive issue,” said Shirley Inscoe, the strategic support manager for loss management and a senior vice president at Wachovia Corp. “Over this five-year period, we have shared a lot of information. I’m not aware of any instance where that trust was ever betrayed.”
Ms. Inscoe co-chaired the BITS fraud reduction steering committee, along with Bob Jones, the director of operating risk at FleetBoston Financial Corp. Both executives said in interviews Tuesday that, unlike in most other areas of banking, sharing strategies helps in the fraud department.
Comparing sensitive business data about losses and their breakdown required a leap of faith for the bank participants, Ms. Inscoe said. “We agreed that all of this information would be very closely held.” Performance comparisons against peers could be shared with upper management, but not with marketing departments or other business units, she said.
Colin Shearer, a vice president at the Chicago analytics firm SPSS Inc., said that a tight-lipped approach to fraud is sometimes a strategic decision. “They are embarrassed about the fact that they were defrauded in the first place. The thinking is, if they don’t talk about it, it isn’t happening.”
But BITS says the financial industry has accepted the idea that fraud is both inevitable and everyone’s problem. “There was a recognition that fraud is a zero-sum game,” Mr. Jones said.
For example, when credit unions recently joined the program — which houses nine working groups focusing on areas such as identity theft, Internet fraud, and electronic payments — larger members realized that “they go through the same stuff we do,” he said.
In the past, community banks and credit unions considered themselves in a different boat from large banks when it came to fraud. Five years ago, Ms. Inscoe said, many smaller institutions “did not have a major problem with fraud,” but that has since changed.
For example, banks that did not offer online banking “used to think they didn’t have to worry about the Internet,” but the electronification of checks and credit card payments has made institutions vulnerable to Internet fraud, even if online banking services have remained off their product menu, she said.
The alignment of such interests speaks to the ubiquity of fraud and to its potential reach.
“Fraud itself has not changed, but the method of perpetration has, partly because of the electronification of payment systems and the Internet,” Mr. Jones said. “Fraudsters are able to insert many more transactions into the system more quickly than they could before.”
According to Ms. Inscoe, recent sweeping cases of identity theft have illustrated that, “any time a merchant’s site or a major employer’s site is hacked into, we are part of the situation if any of our customers’ data was compromised.” No banks feel a sense of relief when there is a breach at another institution — because they know it can also happen to them at any time, she said.
Last year the BITS group met with vendors that process ACH transactions to address certain “holes” that had been diagnosed through collective (and confidential) research. The vendors were responsive, Mr. Jones said, and continue to work with BITS to adjust their procedures.
The group is also evaluating a unified hiring and screening program that would ensure that one institution’s bad apples do not enter another. Currently, institutions cannot keep public records of employees discharged for fraud when the amount stolen does not meet prosecutorial guidelines.
“We’re looking at the feasibility of establishing a database of those employees terminated for causes related to theft,” Mr. Jones said.
BITS is trying to see whether such a database could be used with due regard to privacy regulation. The USA Patriot Act gives institutions more leeway in setting up such a system, he noted.
Ms. Inscoe said that sharing more data across institutions and with law enforcement agencies could also lead to more prosecutions of fraud rings. “We would like to begin breaking up some of these rings instead of being victimized.”
Mr. Shearer at SPSS said fraud is notoriously difficult to detect, partly because it occurs so infrequently, affecting perhaps 1 in 10,000 accounts or less.
“You have very small needles in very large haystacks,” he said. “What you’re facing is a mass of data and simply a suspicion that something is there. You also have to accept that not all the data is available. There are so many things you don’t know.”
Discontinuities, including external events such as terrorist attacks, cannot be factored into predictive analytics, “but in many cases, those events will find their way into the data,” he said.
On the merchant side of the equation, bankers have been long frustrated with retailers’ slow — or, in many cases, nonexistent — adoption of fraud prevention methods. Programs developed by Visa U.S.A. and MasterCard International, marketed under the names Verified by Visa and SecureCode, are so far from obtaining a critical mass of users that some see them as ineffectual.
Katherine Hutchinson, the vice president of marketing at ClearCommerce Corp. in Austin, said that new chargeback rules set by the card associations will create more incentive for online merchants. ClearCommerce is one of the vendors that sells the software needed to run Verified by Visa and SecureCode.
Under current rules, Internet merchants, unlike their brick-and-mortar counterparts, assume all liability for fraudulent transactions. However, the card associations have started to shift that liability to banks for some Internet merchants if they use their authentication programs, which mostly involve processing a cardholder’s preregistered password.
Beginning April 5, Ms. Hutchinson said, if Internet merchants merely prompt Visa cardholders for a password — even if the cardholders, for whatever reason, do not enter one — those merchants will not be liable for chargebacks under Visa rules. “The merchants get the liability shift by just going through the motion.”
A Visa spokeswoman said that, in addition to adopting Verified by Visa, merchants who qualify for the liability shift must “follow the processing requirements for authorization, clearing, and settlement” and submit the authentication data properly through the network. She called the rule change “the next step in driving further adoption.”
Ms. Hutchinson conceded that it can difficult to get merchants to buy the software to run such programs. However, the liability shift should bring more merchants around, especially since they will no longer need to rely on consumer adoption to avoid liability, she said.
In November, MasterCard stopped holding any merchants that have installed the program liable for fraudulent transactions that are fully authenticated, a spokeswoman said.
Starting April 1 merchants in Asia/Pacific and Southeast Asia, the Middle East, and Africa that install SecureCode will avoid liability for all transactions.
